On Wed, Oct 21, 2015 at 9:52 AM Luke Dashjr wrote: > On Wednesday, October 21, 2015 7:39:45 AM Christian Decker wrote: > > On Wed, Oct 21, 2015 at 8:19 AM Luke Dashjr wrote: > > > This doesn't completely close malleability (which should be documented > in > > > the BIP), so I'm not sure it's worth the cost, especially if closing > > > malleability later on would need more. How about specifying flags > upfront > > > in the UTXO-creating transaction specifying which parts the signature > > > will cover? This would allow implementation of fully malleability-proof > > > wallets. > > > > As far as I see it the only remaining venues for malleability are the use > > of sighash flags that are not SIGHASH_ALL, as mentioned in the BIP. Any > use > > of non-sighash_all flags is already an explicit permission to modify the > > transactions, by adding and removing inputs and outputs, so I don't see > how > > these can be made non-malleable. Am I missing something? > > Signer malleability is still a notable concern needing consideration. > Ideally, > wallets should be trying to actively CoinJoin, bump fees on, etc any > pending > transactions in the background. These forms of malleability affect nearly > as > many real use cases as third-party malleability. > > Luke > How is signer malleability still a problem if we remove the signatures from the transaction ID of the transaction and all preceding transactions? The signer can re-sign a transaction but it won't change the transaction ID. It is still possible to double-spend transactions that do not have enough fees, so just starting a new round of CoinJoin is sufficient to bump fees for all parties that participate, and that would also result in the double-spent low fee transaction to be discarded, resolving the state of all coins in the first CoinJoin tx.